SOLVED HOWTO: FreeNAS with Open Directory in Mac OS X environments

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Hi,

here's a write-up about how to integrate a FreeNAS box into an Open Directory environment, including single-sign-on support. I struggled a bit to make this work; this howto is intended for my own documentation and as a reference for others who try to achieve the same thing. I believe that this should ultimately be included as a feature in the GUI.

[UPDATE 2020-09-06]:
Updated to reflect changes in FreeNAS 11.3.

As with FreeNAS 11.2, FreeNAS 11.3 has some breaking changes. The upgrade process will delete your Kerberos keytab file and some settings have been moved to a different place. You can get away with just re-uploading your keytab and changing the relevant settings as noted below, but it is easiest to run through the entire setup again from top to bottom. Note the changes in the Samba configuration.

[UPDATE 2019-03-25]:
Added speedup suggestions to troubleshooting section.

[UPDATE 2019-03-08]:
Using the NetBIOS name instead of FQDN in the CIFS Kerberos principal greatly speeds up file and directory access. Updated instructions.

[UPDATE 2019-03-07]:
I upgraded to FreeNAS 11.2 and this version ships with Samba 4. The configuration is slightly different and I updated the instructions accordingly.

[UPDATE 2018-12-08]:
Created Tips & Troubleshooting section and moved several distributed comments over to make the text easier to read.


For reference, here is my setup:
  • I have a Mac mini that runs macOS Server. This machine provides directory and authentication services for the network. It doesn't have to be a separate machine, but for this howto I assume that you have a macOS server instance running somewhere.
  • I have several Macs that act as client machines. On these Macs any directory user can sign in by using the credentials stored in macOS server.
  • The FreeNAS box provides data storage to the network. Any user logged in on any Mac shall be able to use this machine without additional login steps.
Samba will only be used as CIFS server. Any directory services are supplied by macOS Server. Clients authenticate against macOS Server and then shall get immediate access (SSO-like) to Samba CIFS shares.

Steps to take:
  1. Use a fresh FreeNAS install. If you have an existing FreeNAS box, it is not necessary to kill your current setup, but I found that many setup variables easily create a hard-to-spot error. If you can't make it work, I suggest starting with a fresh test installation.
  2. Have a macOS Server instance that provides Open Directory services and has users and groups that can log in.
  3. Configure FreeNAS to use Open Directory for users and groups.
  4. Configure the Kerberos realm on FreeNAS.
  5. Create Kerberos principals on your macOS server for each service you want to kerberize. Kerberized services will be single-sign-on.
  6. Export Kerberos principals and import them on FreeNAS.
  7. Set up services (the example used here is Samba) to use the Kerberos principals for authentication.
  8. Read through the optimization suggestions at the very end and try them out.
Each step is detailed below.

Names Used
  • Home network domain: home.net. This is set by your router and can be .local, fritz.box or similar.
  • macOS server name: server.home.net
  • Kerberos realm (determined by your macOS server name): SERVER.HOME.NET (note the capitalization!)
  • Distinguished name of macOS server in directory: dc=server,dc=home,dc=net (adjust this according to your server name)
  • Directory administrator account: diradmin (this is the default name - if you changed it, adjust accordingly)
  • Directory administrator's distinguished name: uid=diradmin,cn=users,dc=server,dc=home,dc=net (this is again the default, change according to your server's distinguished name)
  • FreeNAS server name: freenas.home.net
  • FreeNAS NetBIOS name: freenas
Configure Kerberos realm on FreeNAS
Navigate to Directory Services->Kerberos Realms. Create a new realm and switch to advanced mode.

Code:
Realm: SERVER.HOME.NET
KDC: server.home.net
Admin server: server.home.net
Password server: server.home.net


Save and ensure that there are no errors.

Navigate to Kerberos Settings and enter the following in "libdefaults auxiliary parameters":

Code:
default_realm = SERVER.HOME.NET
realm_try_domains = 1


Save and ensure that there are no errors.

Configure FreeNAS to use Open Directory
Most settings are already provided via GUI. In the FreeNAS web GUI, navigate to Directory Services->LDAP. Switch to advanced mode. Populate the following settings:

FreeNAS versions up to and including 11.2:

Code:
Hostname: server.home.net
Base DN: dc=server,dc=home,dc=net
Bind DN: uid=diradmin,cn=users,dc=server,dc=home,dc=net
Bind Password: <password of the directory admin account>
User suffix: cn=users
Group suffix: cn=groups
Password suffix: cn=users
Machine suffix: cn=computers
Allow anonymous binding: checked


FreeNAS versions 11.3 and newer:

Code:
Hostname: server.home.net
Base DN: dc=server,dc=home,dc=net
Bind DN: uid=diradmin,cn=users,dc=server,dc=home,dc=net
Bind Password: <password of the directory admin account>
Allow anonymous binding: checked


Ensure that your realm is selected and that the "enable" flag is checked. Save settings. You can ignore the "no samba attributes" warning, it is not relevant to this setup.

Important: This setup binds to LDAP with the diradmin credentials. You should use SSL to prevent the admin password from being transmitted in cleartext over the network; I haven't documented that step here. Alternatively, you could even kerberize LDAP (which I haven't tried yet).

Before moving on, you need to test that LDAP actually works. In order to do this, open a shell on FreeNAS and type "getent passwd". The command should list BOTH your system and LDAP users. If you do not see your LDAP users, your configuration is not working. Repeat and check for errors before moving on.

When typing "klist", you should also already see a ticket granting ticket for diradmin.

Create and export Kerberos Principals on your macOS Server
Open a shell on your macOS server. Use the following command to create a new principal for SMB:

Code:
sudo krbservicesetup -x -r SERVER.HOME.NET -a diradmin -p <admin password> cifs cifs/freenas@SERVER.HOME.NET

Make sure to replace freenas.home.net with the host name of your FreeNAS box and SERVER.HOME.NET with your realm.

Code:
sudo kadmin -l
kadmin> modify --attributes=-disallow-svr cifs/freenas@SERVER.HOME.NET
kadmin> ext_keytab --keytab=cifs_freenas.keytab cifs/freenas@SERVER.HOME.NET
kadmin> exit


The principal that is created by krbservicesetup by default does not allow creation of tickets. This is fixed by the first command in kadmin. The second command exports the principal to a keytab file.

Upload this file to your FreeNAS box in Directory Services->Kerberos Keytabs. You need to assign a name to the keytab, I assume "cifs_freenas" in the following sections.

Again, ensure that your setup works. On the FreeNAS box, open a shell and type:

Code:
kinit diradmin
kgetcred cifs/freenas@SERVER.HOME.NET
klist


Ensure that all commands proceed without errors and that klist shows a ticket granting ticket for diradmin as well as a ticket for cifs/freenas@SERVER.HOME.NET. Proceed only if both tickets are available, otherwise check and repeat.

Set up Samba for Kerberos [FreeNAS versions up to 11.1]
In the FreeNAS web GUI, navigate to Services->SMB. In the auxiliary parameters, enter the following:

Code:
security = ADS
realm = SERVER.HOME.NET
kerberos method = dedicated keytab
dedicated keytab file = /etc/kerberos/cifs_freenas


Set up Samba for Kerberos [FreeNAS versions 11.2]
In the FreeNAS web GUI, navigate to Services->SMB. In the auxiliary parameters, enter the following:

Code:
security = USER
realm = SERVER.HOME.NET
kerberos method = dedicated keytab
dedicated keytab file = /etc/kerberos/cifs_freenas
encrypt passwords = yes
idmap config * : backend = tdb


Set up Samba for Kerberos [FreeNAS versions 11.3 and up]

Code:
security = USER
realm = SERVER.HOME.NET
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
encrypt passwords = yes
idmap config * : backend = tdb

ldap user suffix = cn=users
ldap group suffix = cn=groups
ldap machine suffix = cn=computers


Samba setup, continued

Make sure that the dedicated keytab file is actually located where you specify. On FreeNAS versions up to and including 11.2, the keytab is stored in /etc/kerberos and the file name is identical to the name you specify in the Kerberos Keytab configuration page. On FreeNAS 11.3, the keytab is hardwired to /etc/krb5.keytab.

Activate the SMB services in the "Control Services" pane and ensure that there are no errors.

Final Check
Add a new Samba share. Reboot FreeNAS and relogin on your client machines to ensure that your setup works from scratch and that there are no leftovers from intermediate configuration steps. You should now see FreeNAS in Finder. If you click on your FreeNAS box and then double-click on your test share, you should not be asked for login credentials. At the top of the Finder window, your Mac user name should appear.

Done!

Tips & Troubleshooting
  • Cannot mount share from Finder (resource not found): In Finder, choose "Go -> Connect to Server..." and enter "smb://freenas/share_name". Click Connect. This will directly mount the share, authenticate and also allow browsing via Finder afterwards. If no share is mounted, Finder will for some reason refuse to use the existing Kerberos ticket and I haven't found a way to force it to do so. As soon as the first share is mounted, the workaround is not necessary until the next reboot.
  • Setup suddenly stops working after a macOS update (system update or Server.app update): System updates on the Mac server often invalidate the Kerberos keytabs. Recreating the Kerberos principals, creating a new keytab file and uploading the keytab to FreeNAS should fix it.
  • Setup suddenly stops working after a FreeNAS update: FreeNAS keeps changing the location of settings; sometimes settings are also not properly carried over after an upgrade. Oftentimes the upgrade process deletes the keytab. It is easiest to run through the entire setup again from top to bottom.
  • Shares are slow to mount: Try using the NetBIOS name instead of the FQDN in your Kerberos principal. For example, if your NetBIOS name is "freenas" and your FQDN is "freenas.home.net", do not use cifs/freenas.home.net@SERVER.HOME.NET as your principal but cifs/freenas@SERVER.HOME.NET. I am not sure why, but it seems that NetBIOS names are tried first when looking for an existing service principal. A principal using the FQDN will work, too, but takes a lot longer to authenticate.
  • Directory browsing is slow: Disabling extended attributes and disabling strict syncing will speed up directory browsing A LOT, especially if you have directories with tons of files in them. Refer to the Samba manual if you need them - chances are, you won't. Extended attributes are typically only required in setups that try to make use of DOS file attributes. Pure Mac environments do not use these. Strict syncing waits for all pending writes to be written to disk before a file system call returns. ZFS syncs every couple of seconds. This means that if your server crashes during a write operation, all changes since the last sync operation are lost. For my personal use, the speed-up far outweighs the potential downside. Here are the configuration options (to be set in SMB's auxiliary parameters):
    Code:
    ea support = no
    store dos attributes = no
    map archive = no
    map hidden = no
    map readonly = no
    map system = no
    strict sync = no
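
As an added example (not part of the original post, and not FreeNAS or Samba code), here is a small Python pre-flight checker that encodes the pitfalls from the howto and the troubleshooting list: principal spelling (lowercase cifs, matching realm, NetBIOS versus FQDN host), the version-dependent SMB auxiliary parameters and keytab path, and the kinit/kgetcred/klist verification step. The sample auxiliary parameters and klist output are constructed, and the klist parser assumes the Heimdal layout that FreeBSD ships.

```python
import re

# Service principal form used throughout the howto: service/host@REALM
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^@]+)$")

def version_tuple(version):
    """'11.3-U5' -> (11, 3); only major.minor matters for these rules."""
    major, minor = version.split("-")[0].split(".")[:2]
    return int(major), int(minor)

def expected_keytab_path(version, keytab_name):
    """Up to 11.2 the keytab is /etc/kerberos/<name>; 11.3 hardwires /etc/krb5.keytab."""
    if version_tuple(version) >= (11, 3):
        return "/etc/krb5.keytab"
    return "/etc/kerberos/" + keytab_name

def parse_aux_params(text):
    """Parse 'key = value' lines; Samba ignores case and inner whitespace in keys."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def check_principal(principal, realm):
    """Problems with the cifs service principal: capitalisation, realm, FQDN host."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return ["principal '%s' is not of the form service/host@REALM" % principal]
    problems = []
    if m["service"] != "cifs":
        problems.append("service part must be lowercase 'cifs', got '%s'" % m["service"])
    if m["realm"] != realm:
        problems.append("principal realm '%s' differs from realm '%s'" % (m["realm"], realm))
    if "." in m["host"]:
        problems.append("host is an FQDN; the NetBIOS name authenticates much faster")
    return problems

def check_smb_params(version, keytab_name, realm, aux_text):
    """Compare the SMB auxiliary parameters with what this FreeNAS version needs."""
    p = parse_aux_params(aux_text)
    want = {
        # 'security = ADS' only on 11.1 and older; Samba 4 on 11.2+ needs USER.
        "security": "ADS" if version_tuple(version) <= (11, 1) else "USER",
        "realm": realm,
        "kerberos method": "dedicated keytab",
        "dedicated keytab file": expected_keytab_path(version, keytab_name),
    }
    problems = ["%s should be '%s', got %r" % (k, v, p.get(k))
                for k, v in want.items() if p.get(k) != v]
    if version_tuple(version) >= (11, 3):
        # On 11.3 the LDAP suffixes moved from the LDAP page into the SMB parameters.
        for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
            if key not in p:
                problems.append("%s is missing (required on 11.3 and newer)" % key)
    return problems

def check_klist(output, user, principal):
    """Verify the kinit/kgetcred step: cache for `user`, TGT and service ticket present."""
    client, tickets = None, set()
    for line in output.splitlines():
        parts = line.split()
        if line.strip().startswith("Principal:"):
            client = parts[-1]
        elif parts and "@" in parts[-1]:
            tickets.add(parts[-1])
    realm = principal.rsplit("@", 1)[-1]
    tgt = "krbtgt/%s@%s" % (realm, realm)
    problems = []
    if client != "%s@%s" % (user, realm):
        problems.append("cache belongs to %r, expected %s@%s" % (client, user, realm))
    if tgt not in tickets:
        problems.append("no ticket granting ticket %s: run kinit %s" % (tgt, user))
    if principal not in tickets:
        problems.append("no service ticket %s: run kgetcred %s" % (principal, principal))
    return problems

# Constructed sample inputs (not captured from a real box); klist layout is Heimdal's.
SAMPLE_AUX_11_2 = """
security = USER
realm = SERVER.HOME.NET
kerberos method = dedicated keytab
dedicated keytab file = /etc/kerberos/cifs_freenas
idmap config * : backend = tdb
"""
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: diradmin@SERVER.HOME.NET
  Issued                Expires               Principal
Sep  6 10:00:00 2020  Sep  6 20:00:00 2020  krbtgt/SERVER.HOME.NET@SERVER.HOME.NET
Sep  6 10:00:05 2020  Sep  6 20:00:00 2020  cifs/freenas@SERVER.HOME.NET
"""
```

Each check returns a list of problems, so an empty list means that step is consistent; running check_smb_params with "11.3" against parameters that worked on 11.2 shows exactly what the upgrade notes above say breaks.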
 

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)
Hi tigloo,
thanks for this write-up. This works perfectly even on macOS Sierra, just tried it! - FreeNAS 9
Have you had a look at FreeNAS 10 for this kind of setup yet? I haven't yet been able to set it up fully.
Here is a start of someone who got it working but with FreeIPA not Open Directory.
 

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
I didn't try with FreeNAS 10 yet, I was going to wait until FreeNAS 10.1 or so is released and then upgrade my box. As soon as I manage to get it working, I can update the instructions.

I was hoping for this to become part of FreeNAS' configuration tool but it seems that interest is minimal.

Which problems did you see with FreeNAS 10?
 

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)
FreeNAS 10 doesn't have the auxiliary parameters, that is one problem to add the above parameters, but for testing I edited the krb5.conf directly.

The LDAP setup via CLI allows adding a krb_principal but no realm (the GUI doesn't allow this). As I understand the doc from 9.10, and I guess it might be similar here, I have created a host keytab. (I am not fully sure if I understood that correctly. This is the principal I've created: host/osxserver.test.com@OSXSERVER.TEST.COM)

The keytab files can be added via CLI, before that scp was needed to get them on the FreeNAS machine.

LDAP is working fine as long as I don't add the krb_principal. When the krb_principal is added, LDAP stops working; removing the krb_principal doesn't make LDAP work again. All params have to be removed and then you can try it again.

Seems not ready yet.
...


I got AFP kerberos half working. LDAP without the krb_principal was active. My Mac users login via OD account and when opening an AFP share the password prompt opened but the entered password didn't play any role - the share was opened.

Guess I have to file a bug report for the first part.
 

areis (Dabbler, joined May 1, 2014, 33 messages)
I am very interested in this as well because I run a Mac mini server (10.12.3) with Open Directory and a FreeNAS (9.10 currently) server. The other issue I have is SMB shares and the Samba schema. I'm not clear on how to make it work. As a temporary solution I have created users on the FreeNAS server that match the users in Open Directory exactly.
 

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)
Hi Areis,
With the versions you mentioned, tigloo's howto is working fine (just scroll up to the top); you don't need to mess around with the Samba schema.

The requirement is only that the account on the Mac has a valid Kerberos ticket. If you have users who authenticate against the OD of your Mac mini that requirement is given. If it is a local user on your Mac mini you could create a ticket via terminal kinit or ticket viewer in keychain.

Does it help? Feel free to pm as well. (Of course gathering solutions here too)
 

biped (Dabbler, joined Dec 20, 2015, 10 messages)
Hmmm, I have FreeNAS Corral - stable on a VM, and can help test. Just for fun I got the LDAP bits working with Open Directory, but when trying to connect to SMB shares from a Mac workstation.. things fail. But I have only had a couple of hours playing with Corral ... haven't set up SSH access yet, just CLI and GUI (seems like the GUI doesn't want to update settings sometimes .. could be me with Firefox ???). Anyway, eagerly watching this thread.
 

tigloo (Explorer, joined Aug 23, 2016, 53 messages)

Seeing that FreeNAS Corral has been released, I'll wait until U1 or U2 before I upgrade and then I'll have a go at it. I'll update my post if I'm able to get it working again.
 

areis (Dabbler, joined May 1, 2014, 33 messages)
Thank you very much. I'll give it a try next week when I have more time.
 

Ashley Drees (Dabbler, joined Oct 6, 2015, 20 messages)
Thanks for this very useful HowTo - I have now upgraded to Corral and have LDAP working - and my next step will be kerb. I'd be very interested to know how this goes and will be watching this thread - I have not yet been able to set this up - the walk-through is for setting up CIFS - what would one use to set up AFP?

afp/freenas.home.net@SERVER.HOME.NET rather than cifs/freenas.home.net@SERVER.HOME.NET?
 

areis (Dabbler, joined May 1, 2014, 33 messages)
Awesome, awesome, awesome! I have been waiting patiently for this solution since I built my freenas box.

https://forums.freenas.org/index.ph...ecting-freeness-ldap-to-open-directory.20611/

I can't thank you enough tigloo!

I have 3 questions to really fine tune this:

1. Can you share the details/settings of your SMB Service?
2. Can you give step by step instructions on how to import a certificate into FreeNas that I export from my macOS Server (SSL/TLS)?
3. Will this continue to work if I update to Corral?

Again, thanks a million!
 

strikeing_789d (Dabbler, joined Apr 7, 2017, 13 messages)

Great write up! However is there a way to do exactly this but instead of having the freeNAS box available to all signed in users as a share. I want to use the box as a location for user home folder storage. In other words:

Current setup: Mac Xserve running Open Directory => User home folders (data) is currently being stored on a external HDD via firewire 800 connected to the server.

Goal: Mac Xserve running Open Directory => User home folders (data) stored on freeNAS machine from a share or mount.

I have tried it 1 thousand and 1 times but I cannot get a user to sign in to save my life.

In Workgroup Manager I successfully pointed a user to the share in the "home" tab. I know this because when I press "create home now" and click "save" I can see the user's folder(s) being created on the share automatically. However, it doesn't create all folders like it did when I had it pointed to the external HDD. Seems like it will work, right ....EHH! So I go and try to sign in and authentication works but it says "error you unable to log into the account because of an error!" so back to square one I go.

I have searched everywhere and I have tried so many different options. I really do hope someone can help me, even if you can't just please reply so I know someone out there read this.

Thanks
 

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)

I read your post. I watch this thread, hoping for a solution or hint how to get tigloo's solution to work on Corral.
Seems you're running a version of Mac OS X Server, correct?
 

areis (Dabbler, joined May 1, 2014, 33 messages)
I have a question concerning the SMB Service:

Should I enable/check
1) Unix extensions
2) Obey pam restrictions

FreeNAS server as below. I have several client Macs (10.12.5) and a Mac mini (10.12.5) running server (5.3.1) and Open Directory.
 

Ashley Drees (Dabbler, joined Oct 6, 2015, 20 messages)
Tigloo.

I am trying to get this working on our setup - FreeNAS 11 + OSX OD setup. It all goes well till I get to the modify --attributes=-disallow-svr in kadmin... I end up with

Code:
kadmin> modify --attributes=-disallow-svr cifs/freenas.domain.tld@OD.DOMAIN.TLD
kadmin: mod cifs/freenas.domain.tld@OD.DOMAIN.TLD: Principal does not exist

Any ideas about this - or just pointers to some documentation - in kadmin I CAN modify --attributes for a Mac OS server in the domain but only get this error when trying to set up the FreeNAS - is there a step needed to add freenas.domain.tld to the kerb setup?

I DID find that "man krbservicesetup" tells me that cifs is not understood by krbservicesetup - but this might be a blind alley.

The service_types understood by krbservicesetup are:
afp Apple Filing Protocol
ftp File Transfer Protocol
imap IMAP mail protocol
pop POP mail protocol
smtp SMTP mail protocol
ssh Secure Shell
 

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Hi Ashley,

if it fails on the modify line with the message that the principal doesn't exist, the principal isn't there yet, so it cannot be modified. The previous command (krbservicesetup) is supposed to create it. Did you execute it and did you get any error message?

As for krbservicesetup not supporting CIFS, this is only half true. Krbservicesetup is designed to automatically configure all of macOS for SSO support of the various protocols that are listed. To set up SSO, it does more than just creating the principal; it will also reconfigure the services running on the same macOS server to use that principal. For some reason it doesn't support CIFS for the whole autoconfig procedure. However, you can still use the tool to only create the principal, and the service itself is running on FreeNAS anyway. In fact you have to do it via krbservicesetup because kadmin won't be able to create it in such a way that you can use it afterwards (at least I couldn't find a way to create it by using kadmin).

Can you check that krbservicesetup actually works? If you don't get an error message, list all principals in the database and delete all entries that seem to collide. I have had problems with capitalization (CIFS instead of cifs), half-created principals (principal was in the database but not with all needed keytypes which cause krbservicesetup and kadmin to choke) and others and sometimes it's very painful to find the true root cause.

Kerberos can be hard and Apple made it harder if you want to have it working together with non-Apple elements.
 

Ashley Drees (Dabbler, joined Oct 6, 2015, 20 messages)
tigloo, thanks again for your work here. I am still trying to get it working with FreeNAS 11... so far I have everything you wrote up testing out fine but still no SMB. The main issue (I think it is) I am seeing here is the following - which I am unsure how to approach, from the main Samba log.

Code:
[2017/08/30 14:29:37.270601, 1] ../source3/passdb/pdb_ldap_util.c:236(add_new_domain_info)
add_new_domain_info: failed to add domain dn= sambaDomainName=FREENAS,dc=od,dc=domain,dc=tld with: Invalid DN syntax
invalid DN

I am about to give up on this and try other NAS software; I must have both AFP and SMB on our NAS - we do not have AD and all we want is our NAS to get our users from OD - if this would only work easily all the Mac server users would flock to it... however, it does not seem really simple to get SMB shares working using OD accounts.
 

areis (Dabbler, joined May 1, 2014, 33 messages)
Check the output of

sudo ktutil list

from a terminal on the macOS server. This will list all the principals.
 

areis (Dabbler, joined May 1, 2014, 33 messages)
Also, make sure that the dedicated keytab file is actually located where you specify in Services->SMB->auxiliary parameters

i.e. /etc/kerberos/cifs_server on the freeNAS server.
 

Ashley Drees (Dabbler, joined Oct 6, 2015, 20 messages)
Again, thanks for this. I went back to the very beginning and deleted all principals etc. listed for my FreeMESS - then JUST created one cifs keytab and then walked through everything else - and now I too can use SMB to connect to my FreeMESS.. however, ONLY from Mac workstations - is there any reason why Windows 10 might fail? I AM trawling logs etc. to see what is happening but so far it gets into a loop asking me for an id (which works on a Mac).

Listing all the principals: "sudo ktutil list | grep hostname"
Deleting various principals: "sudo ktutil remove -p afp/freenas.domain.tld@OD.DOMAIN.TLD"
 